Once this configuration is completed, the Ephesoft server will be accessing Active Directory over plain LDAP, not LDAPS. Although the configuration will accept an “ldaps://” URL at this point, the connection will not work. When the server tries to connect, the following error will be seen in the “catalina.out” log file:

In the “dcma” log files you will also see errors about “Invalid Credentials”. This is misleading: the bind credentials are not the problem. The TLS connection to the domain controller failed before any bind could be attempted, and the LDAP layer reports that failure as a credential error.

The underlying issue is that the JDK’s truststore does not contain the certificate (or the issuing CA certificate) for the Active Directory server, so the JDK cannot validate the server’s TLS certificate and refuses the secure connection. Resolving this is straightforward: import that certificate into the JDK’s truststore. Where the domain controller’s certificate was issued by an internal CA, importing the CA certificate is preferable, since it keeps working when the domain controller’s own certificate is renewed.

Perform the following steps to enable LDAPS for the connection:

Obtain the certificate file for the Active Directory server that you are trying to connect to. Although setting up Active Directory for LDAPS is beyond the scope of this article, there is a thorough guide available here:

It may also be possible to export the certificate from a browser such as Firefox so that it can then be imported into your JDK’s truststore, although this only works if you can browse to a site that presents the same certificate. Fetching it directly from the domain controller’s LDAPS port, for example with openssl s_client, is more reliable.

Once the certificate file has been obtained, it will need to be added to the JDK truststore. By default, the JDK uses ‘cacerts’ as its truststore, located in: <Install Location>\jdk\jre\lib\security\cacerts (Java 9 and later no longer have the ‘jre’ subdirectory; there the file is under jdk\lib\security\cacerts).

By default, the ‘cacerts’ truststore has a password of ‘changeit’.

To import the certificate, the ‘keytool’ utility may be used. It is provided as part of the JDK installation, runs from the command line, and is found in the “jdk\bin” directory of your JDK installation.

Assuming the certificate file is “ad-myserver.crt”, the following commands will install the certificate into the “cacerts” truststore:

Once this has been done, update the LDAP URL to use “ldaps://” instead of “ldap://”, and change the port from “389” to “636”, the standard port for an LDAPS connection. If you are connecting to the Active Directory Global Catalog on port “3268” with LDAP, change that to “3269” for LDAPS. Use the domain controller’s fully qualified host name as it appears in its certificate rather than an IP address: recent JDKs (8u181 and later) check that the LDAPS server name matches the certificate, and a mismatch fails the connection just as a missing certificate does.
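The whole procedure above, as an added example written for this page rather than taken from Ephesoft’s documentation or tooling: it fetches the certificate chain the domain controller presents on its LDAPS port with openssl, imports each certificate into ‘cacerts’ with keytool, confirms the aliases exist, and rewrites the LDAP URL with the matching LDAPS port. The host name dc1.corp.example.com, the Linux install path in CACERTS, and the “ad-” alias prefix are assumptions; on Windows the keytool commands are the same and CACERTS should point at <Install Location>\jdk\jre\lib\security\cacerts.

```shell
#!/bin/sh
# Added example (not Ephesoft's own tooling). Assumed placeholders: the host name,
# the CACERTS path and the "ad-<host>-<n>" alias prefix; 'changeit' is the stock
# cacerts password from the article. Set AD_HOST to run the whole procedure.
set -u

CACERTS="${CACERTS:-/opt/Ephesoft/jdk/jre/lib/security/cacerts}"   # Windows: <Install Location>\jdk\jre\lib\security\cacerts
STOREPASS="${STOREPASS:-changeit}"

# Save every certificate the server presents into separate PEM files under $3.
# keytool imports one trusted certificate per -file, so the chain is split here.
fetch_ad_chain() {
  host=$1; port=$2; dir=$3
  mkdir -p "$dir"
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/chain-%d.pem", dir, n); inside = 1 }
        inside                        { print > f }
        /-----END CERTIFICATE-----/   { close(f); inside = 0 }'
  ls "$dir"/chain-*.pem 2>/dev/null
}

# Import one PEM file into the truststore as a trusted certificate under the given alias.
import_cert() {
  alias=$1; file=$2
  keytool -importcert -noprompt -trustcacerts \
    -keystore "$CACERTS" -storepass "$STOREPASS" \
    -alias "$alias" -file "$file"
}

# Confirm the alias is now present in the truststore (non-zero exit if it is not).
verify_alias() {
  keytool -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$1" >/dev/null
}

# Rewrite an ldap:// URL as ldaps:// with the matching port (389 -> 636, 3268 -> 3269).
# A URL that is already ldaps:// is returned unchanged; an optional path (base DN) is kept.
# Bracketed IPv6 hosts are not handled; the URL should name the DC's FQDN anyway.
ldaps_url() {
  url=$1
  case "$url" in
    ldaps://*) printf '%s\n' "$url"; return 0 ;;
    ldap://*)  rest=${url#ldap://} ;;
    *) echo "ldaps_url: not an ldap:// URL: $url" >&2; return 1 ;;
  esac
  case "$rest" in
    */*) hostport=${rest%%/*}; path=/${rest#*/} ;;
    *)   hostport=$rest; path= ;;
  esac
  case "$hostport" in
    *:*) host=${hostport%:*}; port=${hostport##*:} ;;
    *)   host=$hostport; port=389 ;;
  esac
  case "$port" in
    389)  sport=636 ;;
    3268) sport=3269 ;;
    *) echo "ldaps_url: no LDAPS equivalent for port $port" >&2; return 1 ;;
  esac
  printf 'ldaps://%s:%s%s\n' "$host" "$sport" "$path"
}

# Full procedure; only runs when AD_HOST is set, so the functions can be sourced safely.
main() {
  host=$AD_HOST; port=${AD_PORT:-636}; dir=./ad-chain
  cp "$CACERTS" "$CACERTS.bak"                       # keep a copy before editing the truststore
  i=0
  for pem in $(fetch_ad_chain "$host" "$port" "$dir"); do
    i=$((i + 1))
    import_cert "ad-$host-$i" "$pem"
    verify_alias "ad-$host-$i"
  done
  [ "$i" -gt 0 ] || { echo "no certificate received from $host:$port" >&2; return 1; }
  # Independent check that the fetched chain validates the server; -partial_chain lets a
  # leaf or intermediate act as the trust anchor when the DC does not send its root.
  cat "$dir"/chain-*.pem > "$dir/all.pem"
  openssl s_client -connect "$host:$port" -servername "$host" \
    -CAfile "$dir/all.pem" -partial_chain -verify_return_error </dev/null >/dev/null 2>&1 \
    && echo "LDAPS handshake to $host:$port verified"
  echo "new URL: $(ldaps_url "ldap://$host:389")"
}
if [ -n "${AD_HOST:-}" ]; then main; fi
```

Run it as AD_HOST=dc1.corp.example.com ./ldaps-setup.sh from a shell where keytool and openssl are on the PATH (on a bundled JDK, add jdk\bin first). If the domain controller sends only its own certificate, the alias pins that leaf and the import must be repeated when the certificate is renewed; importing the issuing CA certificate instead avoids that.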